Blog

RottenSys Malware Has Infected 5M Android Devices Since 2016

There's a new threat on the horizon, according to security researchers from Check Point. A group of hackers in China are busy building a massive botnet that so far, totals almost five million Android smartphones. The hackers are quietly taking control of these devices using a strain of malware known as "RottenSys."

While the malware is flexible and can be adapted to any number of purposes, in its present incarnation, it's being used to display copious numbers of advertisements. This generates a healthy revenue stream for the hackers, but that could be just the beginning. The researchers have found evidence that the hackers are gearing up for a campaign that could be much more far-reaching and damaging. According to Check Point: "This botnet will have extensive capabilities, including silently installing additional apps and UI automation."

RottenSys is fairly new to the malware ecosystem, first appearing in September 2016. So far, the hackers have spent most of their time simply spreading their creation to more devices. At current count, the number of infected Android phones stands at 4,964,460, and it grows by the day.

It wasn't until last month that RottenSys got an update that gave its owners the ability to take direct control of all the devices. Prior to that, they were happy to simply rake in ad revenue, which is estimated to exceed $350,000 a month.

Currently, the malware hasn't spread beyond the confines of China, but that could easily change as the hackers seek to add an increasing number of devices to their already massive botnet.

What makes RottenSys notable is the fact that it has managed to spread to so many devices in such a short period of time. As it turns out, the secret to the hackers' success has to do with the code it's built around, which includes both "Small", (an open source virtualization framework) and "MarsDaemon", which is a library that keeps apps "undead," which ensures that the malware's processes continue to operate even after users close them. This ensures that the ad-injection capacity cannot be disabled.

Only time will tell what the hackers have planned, but it can't be anything good. They'll have a formidable botnet to do damage with. Stay tuned.